Fortinet Forum
gradius85
New Contributor III

Reverse Proxy vs One-Arm Reverse Proxy

I am reading over the documentation https://help.fortinet.com/fweb/561/Content/FortiWeb/fortiweb-admin/planning_topology.htm and I need the benefits of Reverse Proxy; however, I do not understand how the One-Arm Reverse Proxy works. If everything is on the same network segment, then the layer 2 frame will just be forwarded out the interface it was seen from. However, there are some warnings about Inline Reverse Proxy and non-HTTP/HTTPS traffic. Does the One-Arm Reverse Proxy work when the protected servers are on a different subnet? I imagined this would be installed in-line, with rules created that ignore the policy engine when (a) a specific server is the destination and (b) a specific traffic port is used. The latter would be no different than forwarding traffic around the unit, but the linked documentation says something about performance and security.


The One-Arm deployment seems like a number of policy routes or virtual port forwards would need to be created. Again, I am just not even sure what the default gateway of the servers and the inbound route direction of a One-Arm deployment would look like.


What or how have you folks deployed this, and can you offer any suggestions on deploying Reverse Proxy mode?


Thank you


1 Solution
Yurisk
Valued Contributor

They (Fortinet) over-complicated this topology by naming it separately - there is no "one arm with reverse proxy" mode of functioning for the FWB. It is just the usual Proxy mode with a side note that the real servers are located on the same network the FWB accepts incoming connections on. FWB hides the real servers from the client, never mind them being on the same network, by doing Source NAT - this way the real servers see clients' connections coming with the source IP of the FWB, and are configured to return traffic to the FWB as well and not via some router as default gateway.


E.g.

FWB listens on 10.10.10.1

Real servers are on: 10.10.10.2, 10.10.10.3

Admins publish the website example.com A record as 10.10.10.1

Client (IP 10.10.10.100) enters example.com in the browser, her DNS resolves it to 10.10.10.1 and the FWB receives the client's request with the source IP of 10.10.10.100. Next, the FWB does source NAT, replacing the source IP of the request 10.10.10.100 with its own IP 10.10.10.1, and then sends it to servers 10.10.10.2/3, which reply accordingly to the FWB at 10.10.10.1. On receiving the reply, the FWB sends it to the client with the source IP of 10.10.10.1, and everyone is happy.


Usually, when vendors speak of "one arm" topologies, they mean that the device is NOT actively participating in the clients' traffic. In FWB this is called Offline mode. IMO they just named it inappropriately in the docs.


Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
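To make the flow in the answer concrete, here is an added Python model (not Fortinet's code and not from the post) that walks one request through the same 10.10.10.0/24 example with and without source NAT. The transparent (no-SNAT) branch and the X-Forwarded-For header are my assumptions, included to show why the return path has to come back through the WAF.

```python
from dataclasses import dataclass

FWB_IP = "10.10.10.1"                   # FortiWeb VIP published in DNS (from the post)
SERVERS = ["10.10.10.2", "10.10.10.3"]  # real servers on the same segment
CLIENT_IP = "10.10.10.100"              # constructed client address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    headers: dict

def proxy_request(pkt: Packet, snat: bool = True) -> Packet:
    """FWB forwards a client request to a real server.
    snat=True rewrites the source to the FWB's own IP (what the answer describes);
    snat=False keeps the client's IP (assumed transparent variant, for contrast)."""
    server = SERVERS[int(pkt.src.split(".")[-1]) % len(SERVERS)]  # deterministic pick
    src = FWB_IP if snat else pkt.src
    # Assumption: original client IP is preserved for server logs in a header
    headers = dict(pkt.headers, **{"X-Forwarded-For": pkt.src})
    return Packet(src=src, dst=server, headers=headers)

def server_reply(req: Packet) -> Packet:
    """The real server answers to whatever source IP it saw, no routing decision."""
    return Packet(src=req.dst, dst=req.src, headers={})

def reply_path(reply: Packet) -> str:
    """On a shared L2 segment the switch delivers by destination address,
    so only a reply addressed to the FWB passes back through the WAF."""
    return "via_fwb" if reply.dst == FWB_IP else "direct_to_client"

def simulate(snat: bool = True) -> dict:
    req = proxy_request(Packet(CLIENT_IP, FWB_IP, {"Host": "example.com"}), snat)
    rep = server_reply(req)
    path = reply_path(rep)
    if path == "via_fwb":
        # FWB un-NATs and answers the client from the VIP the client connected to
        final, inspected = Packet(FWB_IP, CLIENT_IP, {}), True
    else:
        # Reply comes from 10.10.10.2 but the client's socket is to 10.10.10.1:
        # the WAF never saw the response and the client's TCP stack will reject it.
        final, inspected = rep, False
    return {"server_saw_src": req.src,
            "client_ip_in_xff": req.headers["X-Forwarded-For"],
            "reply_path": path,
            "client_sees_src": final.src,
            "response_inspected": inspected}
```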


3 Replies
gradius85
New Contributor III

Sorry I did not answer sooner, I was on 'lock down' due to C19. This is great news and I appreciate your insight.


Thank you

MckenzieSawyer
New Contributor

I know that One-Arm does not always work the same with all proxy servers. In this respect, it is not stable enough. I also had problems with proxy server feedback. But they resolved themselves when I decided to switch from free or penny-cost VPN services to soax.com. Subscription to it, of course, is also not worth a lot of money, but it is good, given the quality of the service. It is also supported in almost every country globally, which allows the user to work from anywhere in the world. It is with this service I have no problems with feedback to One-Arm.